CVE-2023-6291: 
Java vulnerability analysis and mitigation

A flaw was discovered in the redirect_uri validation logic in Keycloak (CVE-2023-6291), identified in late 2023. The vulnerability affects Keycloak's authentication system and its implementation across Red Hat Single Sign-On (versions 7.6.x) and Red Hat build of Keycloak products. The issue stems from a validation bypass that could allow unauthorized redirection to malicious hosts (Red Hat CVE).

The vulnerability exists in the verifyRedirectUri method where there is a desynchronization between how Keycloak and browsers interpret URLs. When Keycloak receives a specially crafted URL like 'https://www%2ekeycloak%2eorg%2fapp%2f:y@example.com', it incorrectly interprets the authority as keycloak.org when it should be example.com. This occurs because the validation logic is performed on a URL decoded version that no longer represents the original input (Bugzilla Report).

A successful exploitation of this vulnerability could lead to an access token being stolen, enabling an attacker to impersonate other users. This poses a significant security risk as it could allow unauthorized access to protected resources and user accounts (Red Hat Advisory).

Red Hat has released security updates to address this vulnerability across multiple products. Updates are available for Red Hat Single Sign-On 7.6.7, Red Hat build of Keycloak 22.0.7, and related container images. Users are strongly advised to update to the latest versions that contain the security fixes (Red Hat Advisory).